I suppose this post is more about two-factor authentication than just FIDO2. I'll probably change the title.

Recently I watched a video[0] on the failings of passwords and the practicality of 2FA. I had the misfortune of having one of my G accounts stolen (ironically my emergency account) without a way to get it back after several weeks of trying (thanks, big G). I immediately (over?)reacted and added 2FA to virtually everything I could. It's somewhat annoying, but I'd rather deal with that than what happened with that G account.

So now I'm being told that 2FA ain't that great, either. Well, that sucks. But the aforementioned video mentioned FIDO U2F USB keys. They're pretty decent, although it took a bit too long for me to get it up and running in Mint for me to be totally happy. An exacerbating issue was me being an idiot and inserting the key the wrong way (in my defense, my tower is completely blocked by my USB-less monitor). After around 7 or 8 reboots and different browsers, I finally added the key to my G account... and nothing else. It's good, but IDK how practical it is. I still have SMS codes on, which provides a convenient segue.

Like all security solutions, this SoloKey (that's the indie brand that evidently started with crowdfunding) isn't a panacea. The con of this added security is that I can't really secure my G account with it. I read my email using Mutt (great program), but to do that, I have to disable "advanced" security features for that app. If I wanted to really secure my account with that key, I would have to use the webmail portal or some clunky GUI email program (AFAIK). That really sucks. So I'm stuck with using a less-safe password.

It's also problematic if I happen to lose the key. It's doubtful and unlikely, but it's possible. The solution offered is to buy multiple keys, which, at at least $25 a pop, starts to add up real fast. And what happens if the backup is stolen? While unlikely, again, I would have to deregister every account (which is so far just one). Most of the companies that actually allow FIDO are pretty few, so this isn't great for that, too.

Amazon, as usual, seems to be late to the party: you can't, AFAIK, use a FIDO key to log in or secure your shopping account. I think they do have it so you can apply it to AWS apps. I'm not too sure, so take that "factoid" with a grain of salt.

This has made me appreciate so much the system that Circumlunar (slugmax) has implemented with key pairs. It's much like the USB key, but all you need is the private key saved in your ssh directory.

~~~

In other news, I found some more gopher holes[1]. Suckless now has a sort of code repo just using the gopher protocol. That's awesome. There's a fairly broken gopher translation of CreateAForum.com, which seems to be at least 5 years deserted, but it's still cool to see.

0: https://invidious.snopyta.org/watch?v=ze2i9V1_aIc
1: gopher://gopher.floodgap.com/1/world/last-hit